Friday 6 September 2013

Kaspersky Lab celebrates its housewarming

A housewarming party is always a great occasion, especially when the house is spacious, well-located and filled with happy people! Our HQ, where 1,600 of our 3,000 employees work, is just that kind of home.
home_title_EN
From the moment guests arrive there’s something special waiting for them at the entrances, where street art leaps out as if it’s in 3D. Having this artwork, along with other decorations, is possible because Kaspersky Lab owns not just the office buildings, but also the surrounding land. See the infographic.
In Russia, they say construction work can never be completed, only halted. And it’s true! The front desk and a museum, which is dedicated to almost two decades of our struggle against viruses, are not quite ready yet. However, we were still ready to hold the symbolic opening of our new office, with Eugene Kaspersky and Boris Levyant of ABD Architects cutting the traditional red ribbon to mark the end of the structural work.
Our new HQ, where 1,600 of our 3,000 employees work, is spacious, well-located and filled with happy people!
The office is near a river, with beaches and sports fields surrounding it, so the huge panoramic windows in the building offer a beautiful view that can be enjoyed by almost all employees. Meeting and service rooms are kept in the center of the building, meaning most staff members have their desks near a window. Along with being aesthetically pleasing, this approach is environmentally sound because we are able to use less electric lighting. Environmental systems were also applied to the server room of our office, and in winter it is cooled by the cold air from the street. But back to the views! We have to admit, the most picturesque one view in the building is from the balcony on the fifth floor, and Eugene Kaspersky’s office. This room is not extravagantly large or and over-furnished, since the head of Kaspersky Lab travels on business often and rarely holds meetings. However, there is an interesting collection of artifacts, ranging from the wreckage of the Ferrari car recently broken in the Moscow City Racing event to a collection of exotic headgear, and the first version of Kaspersky’s anti-virus program on a floppy disk.
Of the two buildings at headquarters, one is entirely occupied by our developers, as they make up a third of Kaspersky Lab’s staff. All over the office different people display different decorations on their desks, but a large number of Apples and plush green robots immediately highlight the attention the company pays to protecting Android and Mac.
Research & Development, one of the biggest divisions in the company, can be proud of its new, specially-equipped, egg-shaped hall in which analysts are constantly on the watch for virus epidemics, updating malware databases and keeping a close eye on the Internet. It looks like a space mission control center, and all of our guests have been quite impressed by it.
The nearby recreation room with fitness machines, a game console and a table hockey game is not the only place where employees can relax and keep themselves in good physical shape. The large gym, sauna and massage room are also very popular. And right outside the window we have the beach, basketball court, mini football pitches and a swimming pool.
Of course, there are numerous recreational areas with coffee machines around the office and a large dining area as well. But that’s not all. The coffee shop on the ground floor is not finished yet, but it is already decorated: the guests of the housewarming party created an art installation made of obsolete computer parts for its walls.
The fitness room is not the only place for a healthy lifestyle. Employees can also enjoy sports facilities on site, cycle racks are available for those who wish to cycle to work and the beach and swimming pool are nearby. And it is very pleasant just to a walk in the park in the summer. With the help of our friends from the media, we also have a new plot of plants under the walls of the office to take care of as well.
In Russia they say that every man must build a house, plant a tree and raise a child. Well, the house has been built, the tree has been planted … raising children is a bit out of place in the office, so instead we promise to raise more dedicated fighters against computer threats!

Kevin Mitnick Details Modern IT Threats



One of the most infamous hackers of all time talks about Website security and what users should do to protect themselves.
In the world of computer security hackers, few are as well-known as Kevin Mitnick. Mitnick's activities in the mid-1990s led to his arrest by the FBI and subsequent imprisonment. Today he works as a security consultant with his own firm, Mitnick Security Consulting.

In a video interview with eWEEK, Mitnick discusses what his firm does and how he now works to help organizations secure themselves.

As a well-known security professional, Mitnick's Website is the target of constant attacks.

"I run a security company, so it's quite embarrassing to have my business Website defaced," Mitnick said.


After being kicked off his former Website hosting provider, Mitnick today hosts his site with secure cloud hosting vendor Firehost, which he said is doing a good job for him.

Mitnick also discusses the most dangerous types of attacks today, which for him are all about social engineering.

"It takes one employee to make a bad business decision and it's game over," Mitnick said.

While there are lots of social engineering threats online today, Mitnick also has a few ideas on how both consumers and enterprises can protect themselves. For consumers, he suggests that they use Google Docs to open attachments, instead of just simply opening them up with a desktop client. For enterprises, he suggests user training and education to make sure they understand what not to click.

In the final analysis, Mitnick agrees that it is users who are often the weak link in security.

VIDEO: One of the most infamous hackers of all time talks about Website security and what users should do to protect themselves.

In the world of computer security hackers, few are as well-known as Kevin Mitnick. Mitnick's activities in the mid-1990s led to his arrest by the FBI and subsequent imprisonment. Today he works as a security consultant with his own firm, Mitnick Security Consulting. In a video interview with eWEEK, Mitnick discusses what his firm does and how he now works to help organizations secure themselves. As a well-known security professional, Mitnick's Website is the target of constant attacks. "I run a security company, so it's quite embarrassing to have my business Website defaced," Mitnick said.
Unleashing the Power of PaaS to Harness the Cloud
After being kicked off his former Website hosting provider, Mitnick today hosts his site with secure cloud hosting vendor Firehost, which he said is doing a good job for him.
Mitnick also discusses the most dangerous types of attacks today, which for him are all about social engineering. "It takes one employee to make a bad business decision and it's game over," Mitnick said. While there are lots of social engineering threats online today, Mitnick also has a few ideas on how both consumers and enterprises can protect themselves. For consumers, he suggests that they use Google Docs to open attachments, instead of just simply opening them up with a desktop client. For enterprises, he suggests user training and education to make sure they understand what not to click. In the final analysis, Mitnick agrees that it is users who are often the weak link in security.
- See more at: http://www.eweek.com/security/kevin-mitnick-details-modern-it-threats.html#sthash.doOGaHEu.dpuf

IBM Closes Trusteer Acquisition, Establishes Cyber-Security Lab

IBM announced the close of its acquisition of Trusteer, a maker of cybersecurity software. Big Blue also plans to open a cybersecurity lab with Trusteer in Israel.
IBM announced the completion of its deal to acquire Trusteer, a privately held provider of software that helps protect organizations against fraud and advanced security threats.

The completion of the deal comes quickly on the heels of IBM's initial announcement of its plans to acquire Trusteer. On Aug. 15, IBM announced that it had entered into a definitive agreement to acquire Trusteer. Financial terms were not disclosed.

"The acquisition of Trusteer builds on more than 40 years of IBM's rich contribution to the security space," said Brendan Hannigan, general manager of IBM Security Systems, in a statement. "Trusteer will extend our data security capabilities further into the cloud, mobile and endpoint security space. This acquisition helps provide our clients with comprehensive network and endpoint anti-malware solutions."

Among the capabilities Trusteer will bring to the IBM security portfolio are comprehensive counter-fraud and advanced persistent threat (APT) protection. Trusteer's cyber-security protection scales to help protect tens of millions of endpoints, including smartphones and tablets. Malware and fraudulent activity can be identified and removed using solutions from Trusteer.


Trusteer also brings security-as-a-service technology delivered through the cloud. Cloud-delivered security solutions by Trusteer will complement more than 100 software-as-a-service (SaaS) solutions offered by IBM. Because Trusteer software can be delivered through the cloud, organizations can receive accurate, real-time updates on malicious activities and the latest threats, better protecting data from fraud and compromise.

The Trusteer technology also will help IBM secure mobile transactions. Trusteer can help provide account takeover prevention with compromised device detection, complex device fingerprinting and a global fraudster database.

"We've done a lot of work on how we protect an enterprise inside its own walls," Caleb Barlow, director of mobile security at IBM, told eWEEK. "And then over time with things like BYOD we've reached out to how do you protect enterprise data on individual endpoints on mobile devices. But there really hasn't been a series of good answers for how do I protect a transaction.

"And if we also think about online brands, whether that is a retail company you're buying something from or an insurance company you're working with, a big portion of the value of that brand is now associated with trust," Barlow said. "If you can trust that brand, if you can trust them with your data, it's going to make a big difference in who you choose to do business with. So by acquiring this company, it gives us the ability to bring trust into these relationships around the transactions that you as the consumer make."

Also announced Aug. 15, IBM is forming a cyber-security software lab in Israel that will bring together more than 200 Trusteer and IBM researchers and developers to focus on mobile and application security, advanced threat protection, malware, counter-fraud and financial crimes. This lab is an addition to IBM's existing research and development facilities in Israel.

"This acquisition is further proof that IBM is serious about providing clients with the security intelligence capabilities to help protect organizations in a constantly evolving threat landscape," said John Johnson, global security strategist at John Deere, in a statement. "As part of IBM, Trusteer's counter-fraud capabilities, along with the creation of a cyber-security software lab, will help make advances in counter-fraud and malware protection."

IBM provides the security intelligence to help enterprises protect their people, data, applications and infrastructure. IBM operates a broad security research and development organization. The company manages and monitors 15 billion security events every day for nearly 4,000 clients around the world and holds more than 3,000 security patents.

"At the end of the day the biggest enemy in all of this is you, the end user, where you accidentally click on that link that looks all too compelling and the next thing you know your workstation is chock full of malware," Barlow said. "So this really provides that level of protection for the consumer and the ability for the brands that are offering this service to protect their brand and their customers' data."

IBM announced the close of its acquisition of Trusteer, a maker of cybersecurity software. Big Blue also plans to open a cybersecurity lab with Trusteer in Israel.

IBM announced the completion of its deal to acquire Trusteer, a privately held provider of software that helps protect organizations against fraud and advanced security threats. The completion of the deal comes quickly on the heels of IBM's initial announcement of its plans to acquire Trusteer. On Aug. 15, IBM announced that it had entered into a definitive agreement to acquire Trusteer. Financial terms were not disclosed. "The acquisition of Trusteer builds on more than 40 years of IBM's rich contribution to the security space," said Brendan Hannigan, general manager of IBM Security Systems, in a statement. "Trusteer will extend our data security capabilities further into the cloud, mobile and endpoint security space. This acquisition helps provide our clients with comprehensive network and endpoint anti-malware solutions." Among the capabilities Trusteer will bring to the IBM security portfolio are comprehensive counter-fraud and advanced persistent threat (APT) protection. Trusteer's cyber-security protection scales to help protect tens of millions of endpoints, including smartphones and tablets. Malware and fraudulent activity can be identified and removed using solutions from Trusteer.
Top Security Threats for 2013
Trusteer also brings security-as-a-service technology delivered through the cloud. Cloud-delivered security solutions by Trusteer will complement more than 100 software-as-a-service (SaaS) solutions offered by IBM. Because Trusteer software can be delivered through the cloud, organizations can receive accurate, real-time updates on malicious activities and the latest threats, better protecting data from fraud and compromise.
The Trusteer technology also will help IBM secure mobile transactions. Trusteer can help provide account takeover prevention with compromised device detection, complex device fingerprinting and a global fraudster database. "We've done a lot of work on how we protect an enterprise inside its own walls," Caleb Barlow, director of mobile security at IBM, told eWEEK. "And then over time with things like BYOD we've reached out to how do you protect enterprise data on individual endpoints on mobile devices. But there really hasn't been a series of good answers for how do I protect a transaction. "And if we also think about online brands, whether that is a retail company you're buying something from or an insurance company you're working with, a big portion of the value of that brand is now associated with trust," Barlow said. "If you can trust that brand, if you can trust them with your data, it's going to make a big difference in who you choose to do business with. So by acquiring this company, it gives us the ability to bring trust into these relationships around the transactions that you as the consumer make." Also announced Aug. 15, IBM is forming a cyber-security software lab in Israel that will bring together more than 200 Trusteer and IBM researchers and developers to focus on mobile and application security, advanced threat protection, malware, counter-fraud and financial crimes. This lab is an addition to IBM's existing research and development facilities in Israel. "This acquisition is further proof that IBM is serious about providing clients with the security intelligence capabilities to help protect organizations in a constantly evolving threat landscape," said John Johnson, global security strategist at John Deere, in a statement. "As part of IBM, Trusteer's counter-fraud capabilities, along with the creation of a cyber-security software lab, will help make advances in counter-fraud and malware protection." IBM provides the security intelligence to help enterprises protect their people, data, applications and infrastructure. IBM operates a broad security research and development organization. The company manages and monitors 15 billion security events every day for nearly 4,000 clients around the world and holds more than 3,000 security patents. "At the end of the day the biggest enemy in all of this is you, the end user, where you accidentally click on that link that looks all too compelling and the next thing you know your workstation is chock full of malware," Barlow said. "So this really provides that level of protection for the consumer and the ability for the brands that are offering this service to protect their brand and their customers' data."
- See more at: http://www.eweek.com/security/ibm-closes-trusteer-acquisition-establishes-cybersecurity-lab.html#sthash.lYU0dILj.dpuf

'Hand of Thief' Banking Trojan Targets Linux

Malware
Still in development, the malware aims to allow criminals to steal funds from the bank accounts of Linux users and comes with anti-security features.
Cyber-criminals developing malicious software commonly target the Windows operating system, only occasionally aim for Apple's Mac OS X, and very rarely look to compromise desktop systems running Linux.

Yet one developer is doing just that, according to an analysis published by security firm RSA on Sept. 3. The "Hand of Thief" Trojan aims to allow cyber-criminals to compromise more than a dozen different flavors of Linux and grab information from the systems. However, the nascent banking Trojan still is rife with issues and does not have all the necessary features to be an effective attack tool, Yotam Gottesman, senior security researcher with RSA's FraudAction Research Labs, told eWEEK.

"It is a work in progress," he said. "It's very early on in the development process."

Hand of Thief is a departure for attackers: While cyber-criminals have targeted Linux-based Web servers–especially those running open-source content management systems such as Wordpress, Drupal or Joomla–they typically have not created programs to focus on desktop Linux systems.


In early August, RSA described the Hand of Thief Trojan based on claims by the developer that it would run on 15 different desktop Linux distributions and run under eight different windowing environments. Since then, the company has obtained binaries for specific environments and the source code for the command-and-control software. In its analysis released this week, the company concludes that the Trojan is far from ready for distribution. It only runs, for example, on 32-bit Linux distributions and relies on hard-coded configurations to tailor its targeting.

The software comes with a tool, or builder, for creating malware clients that allows would-be cyber-criminals to create uniquely packed variants capable of fooling many signature-based security programs. In addition, Trojans created with the builder have some rudimentary features for detecting whether it is running inside a virtual machine.

The software is not yet active on the Internet, but RSA's researchers were able to obtain a copy and tested it on a machine running Fedora Linux and another running Ubuntu. On both systems, there were some major issues. When a user ran Firefox, the Trojan failed to collect any information, while under Google's Chrome browser, the Trojan did not have any mechanism for culling only the important information from the infected system.

"This means that the malware captured every single request from the browser in a very generic manner," Gottesman wrote in the analysis. "Grabbing requests in this manner will quickly clutter the drop server with useless data."

The software is currently being sold for $2,000, with the developer promising free updates. While the software is currently unfinished, it could eventually have full capabilities, including injecting content into banking Websites and better exfiltration and filtering features, the researcher said.

"Although it initially appeared to be a compelling new Trojan entrant, RSA’s in-depth analysis of the code proves it is a prototype more than true malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data," Gottesman wrote in the analysis
Malware

Still in development, the malware aims to allow criminals to steal funds from the bank accounts of Linux users and comes with anti-security features.

Cyber-criminals developing malicious software commonly target the Windows operating system, only occasionally aim for Apple's Mac OS X, and very rarely look to compromise desktop systems running Linux. Yet one developer is doing just that, according to an analysis published by security firm RSA on Sept. 3. The "Hand of Thief" Trojan aims to allow cyber-criminals to compromise more than a dozen different flavors of Linux and grab information from the systems. However, the nascent banking Trojan still is rife with issues and does not have all the necessary features to be an effective attack tool, Yotam Gottesman, senior security researcher with RSA's FraudAction Research Labs, told eWEEK. "It is a work in progress," he said. "It's very early on in the development process." Hand of Thief is a departure for attackers: While cyber-criminals have targeted Linux-based Web servers–especially those running open-source content management systems such as Wordpress, Drupal or Joomla–they typically have not created programs to focus on desktop Linux systems.
Top Security Threats for 2013
In early August, RSA described the Hand of Thief Trojan based on claims by the developer that it would run on 15 different desktop Linux distributions and run under eight different windowing environments. Since then, the company has obtained binaries for specific environments and the source code for the command-and-control software. In its analysis released this week, the company concludes that the Trojan is far from ready for distribution. It only runs, for example, on 32-bit Linux distributions and relies on hard-coded configurations to tailor its targeting.
The software comes with a tool, or builder, for creating malware clients that allows would-be cyber-criminals to create uniquely packed variants capable of fooling many signature-based security programs. In addition, Trojans created with the builder have some rudimentary features for detecting whether it is running inside a virtual machine. The software is not yet active on the Internet, but RSA's researchers were able to obtain a copy and tested it on a machine running Fedora Linux and another running Ubuntu. On both systems, there were some major issues. When a user ran Firefox, the Trojan failed to collect any information, while under Google's Chrome browser, the Trojan did not have any mechanism for culling only the important information from the infected system. "This means that the malware captured every single request from the browser in a very generic manner," Gottesman wrote in the analysis. "Grabbing requests in this manner will quickly clutter the drop server with useless data." The software is currently being sold for $2,000, with the developer promising free updates. While the software is currently unfinished, it could eventually have full capabilities, including injecting content into banking Websites and better exfiltration and filtering features, the researcher said. "Although it initially appeared to be a compelling new Trojan entrant, RSA’s in-depth analysis of the code proves it is a prototype more than true malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data," Gottesman wrote in the analysis
- See more at: http://www.eweek.com/security/hand-of-thief-banking-trojan-targets-linux.html#sthash.y4Ecb5xz.dpuf
Malware

Still in development, the malware aims to allow criminals to steal funds from the bank accounts of Linux users and comes with anti-security features.

Cyber-criminals developing malicious software commonly target the Windows operating system, only occasionally aim for Apple's Mac OS X, and very rarely look to compromise desktop systems running Linux. Yet one developer is doing just that, according to an analysis published by security firm RSA on Sept. 3. The "Hand of Thief" Trojan aims to allow cyber-criminals to compromise more than a dozen different flavors of Linux and grab information from the systems. However, the nascent banking Trojan still is rife with issues and does not have all the necessary features to be an effective attack tool, Yotam Gottesman, senior security researcher with RSA's FraudAction Research Labs, told eWEEK. "It is a work in progress," he said. "It's very early on in the development process." Hand of Thief is a departure for attackers: While cyber-criminals have targeted Linux-based Web servers–especially those running open-source content management systems such as Wordpress, Drupal or Joomla–they typically have not created programs to focus on desktop Linux systems.
Top Security Threats for 2013
In early August, RSA described the Hand of Thief Trojan based on claims by the developer that it would run on 15 different desktop Linux distributions and run under eight different windowing environments. Since then, the company has obtained binaries for specific environments and the source code for the command-and-control software. In its analysis released this week, the company concludes that the Trojan is far from ready for distribution. It only runs, for example, on 32-bit Linux distributions and relies on hard-coded configurations to tailor its targeting.
The software comes with a tool, or builder, for creating malware clients that allows would-be cyber-criminals to create uniquely packed variants capable of fooling many signature-based security programs. In addition, Trojans created with the builder have some rudimentary features for detecting whether it is running inside a virtual machine. The software is not yet active on the Internet, but RSA's researchers were able to obtain a copy and tested it on a machine running Fedora Linux and another running Ubuntu. On both systems, there were some major issues. When a user ran Firefox, the Trojan failed to collect any information, while under Google's Chrome browser, the Trojan did not have any mechanism for culling only the important information from the infected system. "This means that the malware captured every single request from the browser in a very generic manner," Gottesman wrote in the analysis. "Grabbing requests in this manner will quickly clutter the drop server with useless data." The software is currently being sold for $2,000, with the developer promising free updates. While the software is currently unfinished, it could eventually have full capabilities, including injecting content into banking Websites and better exfiltration and filtering features, the researcher said. "Although it initially appeared to be a compelling new Trojan entrant, RSA’s in-depth analysis of the code proves it is a prototype more than true malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data," Gottesman wrote in the analysis
- See more at: http://www.eweek.com/security/hand-of-thief-banking-trojan-targets-linux.html#sthash.y4Ecb5xz.dpuf

Hesperbot – Technical analysis part II

Win32/Spy.Hesperbot  is a new banking trojan that has been targeting online banking users in Turkey, the Czech Republic, Portugal and the United Kingdom. For more information about its malware spreading campaigns and victims, refer to previous post. In this post we’ll cover the technical details of the malware, including the overall architecture, as well as the mobile component.

Overview

Like many other malware families, Win32/Spy.Hesperbot has a modular architecture. As the first step in infection, the victim downloads and runs a dropper component. The dropper is also protected by a custom malware packer and distributed in a ZIP archive.
Hesperbot diagram
Figure 1 – Hesperbot initial modules overview

The dropper’s role is to inject the main component – ‘core’ – into explorer.exe. The core then downloads and loads additional modules, plug-ins used to carry out malicious actions.
Win32/Spy.Hesperbot modules
Figure 2 – Description of Win32/Spy.Hesperbot modules
The various modules are available both as x86 and x64 variants according to the host system platform.
Selected internal functions of individual modules are available for other modules to use through a virtual method table (vtable).
We have reverse-engineered the malware components and will highlight the most interesting features in the following paragraphs. Most malware components were compiled using Visual Studio 2010 and written in the C programming language, but without using the C Run-Time library. While this isn’t the most sophisticated malware we’ve analysed, Win32/Spy.Hesperbot can’t be dismissed as amateurish.

Main Modules

dropper
The dropper can use one of several methods for injecting the core component into the address space of explorer.exe:
  • Starting a new instance of explorer.exe and patching its entry-point using NtGetContextThread to point to its own code (written using WriteProcessMemory). This can be done either directly or through an intermediate attrib.exe process.
  • Injecting itself into the actual explorer.exe using the elaborate Shell_TrayWnd/SetWindowLong/SendNotifyMessage trick used in PowerLoader and other malware. (Aleks Matrosov has published multiple blog posts about it recently, so I won’t go into details here.)
  • Injecting itself into explorer.exe using the common approach with CreateRemoteThread
Interestingly, the injection method is also based on whether the cmdguard.sys (Comodo) or klif.sys (Kaspersky) drivers are found on the system.
core
The core module, now running in the context of explorer.exe, handles communication with the C&C server and launching other plug-in modules. Typical malware functionality, such as writing to the Run Windows Registry key, is also handled by core.
In order to access the C&C server, Win32/Spy.Hesperbot.A uses either a hard-coded URL (different ones were seen in the variants used by the Czech, Turkish and Portuguese botnets) or generates new C&C URLs using a domain generation algorithm in case the first server is inaccessible.
The following information is sent to the command-and-control server:
  • Bot name based on the Computer Name
  • Botnet name – so far, we have seen “cz-botnet”, “tr-botnet”, “pt-botnet”, “uk-botnet” and “super-botnet” (used in early “beta” versions)
  • IP addresses of present network adapters
  • Names of active smart-cards
  • Information about installed Hesperbot plug-ins 
Hesperbot botnet identifier
Figure 3 – Botnet identifier in Hesperbot code
In return, the server can send:
  • A configuration file
  • Plugin modules
  • An arbitrary executable to run
  • A new version of itself
 Several technical details regarding the abovementioned functionality are worth mentioning. Firstly, the malware is able to enumerate smart cards present in the system using the SCardEstablishContext, SCardListReaders and SCardConnect API functions. Unlike more sophisticated attacks against smart cards (described by Aleks here and here), Win32/Spy.Hesperbot only collects smart-card names and doesn’t contain the ability to interact with them.
Secondly, the downloaded data (namely the configuration file and plugin modules) is encrypted using the Twofish cipher. The 256-bit key is a hash based on:
  • Computer Name
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion] “InstallDate”
  • Windows version
  • Processor architecture (x86, x64 or IA64)
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography] “MachineGuid”
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion] “DigitalProductId”
For storing the downloaded data as well as other auxiliary binaries (e.g. the log created by the keylogger module), Hesperbot uses a randomly named subdirectory under %APPDATA%.

The core module can inject itself into all running processes. Furthermore, an undocumented trick of hooking UserNotifyProcessCreate is used when running inside csrss.exe, to ensure that the trojan’s code will be injected into every new process.

Mobile Component

It’s common nowadays that banking trojans also utilize mobile components (like ZitMo and SpitMo, for instance) in order to bypass banks’ out-of-band authentication through mTANs (Mobile Transaction Authentication Number).
In the web-inject scripts that we have seen so far, the malware injects code into the website, which prompts the user to install an application on their mobile phone. The victim is offered a dropdown list of phone models and after entering their phone number a link to download the mobile component is sent to their phone. Three mobile platforms are supported: Android, Symbian and Blackberry.
Support mobile platforms in web-inject Javascript
Figure 4 – Supported mobile platforms in web-inject JavaScript
We have analysed the Symbian and Android versions, but haven’t so far been able to obtain the Blackberry malware. The Symbian version supports a broad range of devices, including Symbian S60 3rd edition, Symbian S60 5th edition and the latest Symbian^3.
Both of the analysed mobile trojans exhibit similar functionality. First, there is an “activation procedure”. The web-inject JavaScript on the Hesperbot-infected computer generates a random “activation number”, which is displayed to the user. The user is supposed re-type the number when prompted by the mobile application. The mobile app then displays a “response code”, which is calculated from the activation number. The user is then asked to enter it back into the webpage on their computer for verification. (The injected script contains the same algorithm for calculating the response code as in the mobile component.) This functionality provides the attackers confirmation that the victim has installed the mobile component successfully and ties it with the bot infection.
Android/Spy.Hesperbot.A
Screenshot of Android component – Android/Spy.Hesperbot.A

As expected, the code, both in the Symbian and Android versions (and likely in the Blackberry version as well), registers a service that waits for incoming SMS messages and forwards them to the attacker’s phone number. This way the attacker will get the mTAN necessary for logging into the hijacked bank account.
The mobile code also implements the attacker’s ability to control the service remotely through SMS commands.
The Android component is detected by ESET as Android/Spy.Hesperbot.A and the Symbian version as SymbOS9/Spy.Hesperbot.A.

Other Functionality

Keylogger

The keylogger module intercepts key strokes by hooking the functions GetMessage and TranslateMessage in user32.dll. They are then written to a log file, along with the originating process module name and window title text. Afterwards, the log gets sent to the C&C server.

Screenshots and Video Capture

The screenshots and video capture is done by the httpi module, if specified in the configuration file.
The video capture functionality has been used by the Zeus banking trojan spin-off Citadel and provides the attackers with an even better overview of what’s happening on the victim’s screen. It’s implemented using Avifil32.dll functions AVIFileCreateStream, AVIFileMakeCompressedStream, AVIStreamWrite, etc.
Hesperbot's video capturing code
Figure 6 – Part of Hesperbot’s video capturing code
The more common screenshot functionality is implemented using the Gdi32.dll functions BitBlt, GetDIBits, etc.
Hidden VNC
The VNC functionality has previously been used in the infamous Carberp malware. (In fact, Carberp may have also been an inspiration to the Hesperbot creators after its source code leak.) It enables the trojan to create a hidden VNC server, to which the attacker can remotely connect. As VNC doesn’t log the user off like RDP, the attacker can connect to the unsuspecting victim’s computer while they’re working. The VNC session runs in a separate desktop (see CreateDesktop on MSDN), invisible to the user. The module also provides the attacker with the capability to launch a browser that’s installed on the host system. In this way, the attacker will also have access to all browser-associated data (cookies, sessions, etc.)

Kaspersky Helping Gaming Maker Get Hacking Right

There have been far, far too many inaccurate, cheesy and clichéd depictions of so-called hackers over the years in movies and TV. From “Swordfish” to “The Italian Job” and an unbearably long list of others, its clear that Hollywood doesn’t understand why cybercriminals or their craft. But the folks at video game maker Ubisoft Montreal are intent on getting it right with their latest release, and who better for game’s creators to enlist in the pursuit of that end game than Kaspersky Labs?
gaming_title_EN
The gaming company that has built its reputation on hugely successful series’ like “Assassin’s Creed” and “Splinter Cell” has partnered with Kaspersky Lab to make sure they get their depictions of cyber attacks right for their upcoming release, “Watch Dogs.”
Ubisoft game makers have enlisted Kaspersky Lab to make sure they get their depictions of cyber attacks right for their upcoming release, “Watch Dogs.”
“We’re working with Kaspersky Lab, a big security firm,” Dominic Guay, the senior producer for Ubisoft, told joystiq.com. “They have really hardcore experts there on hacking. We send them some of our designs and we ask them feedback on it, and it’s interesting to see what gets back. Sometimes they say, ‘Yeah, that’s possible, but change that word,’ or, ‘That’s not the way it works.’”
The game’s plot centers around a protagonist in a futuristic “smart city” version of Chicago, where ‘hacking’ is a shortcut to manipulating doors, cameras, cars and as to help the character maneuver through the dangerous urban landscape and to enact revenge on those out to get him. With it’s depth of knowledge cultivated through extensive research, as well as its long line of computer and Internet security products, Kaspersky is ideally positioned to lend the necessary advice to ensure “Watch Dogs” gets it right.
The game is slated for release on Nov. 22, 2013

Small businesses' BYOD practices leave them one cyber attack away from bankruptcy

Security padlock image
Inadequate bring-your-own-device (BYOD) policies are leaving small to medium-sized businesses open to attack by cyber criminals, according to security firm AVG.
AVG's SMB general manager Mike Foreman said despite progress in educating SMBs about basic network security, they are still woefully under-informed about the threats they face when using consumer devices, such as smartphones and tablets, for work purposes.
"Small businesses have probably just got their head around security within the network, but we've just rapidly changed their world, introducing mobile and tablets for SMB usage. SMBs are going to have to get their heads around that," he said
The AVG manager said the issue is doubly troubling as if they are successfully hacked, the cost of a data breach will cripple most SMBs. "The real big area for a small business is data privacy. This impacts all of us but for a small business to have data breaches, well it could be the end of their business. It is happening, we've seen it," he said.
AVG chief technology officer (CTO) Yuval Ben-Itzhak mirrored Foreman's sentiment, adding that attacks on mobile devices are troubling as they are another vector criminals can use to steal financial data.
"The main thing criminals are trying to do is get banking Trojans into the system so they can get login details for online banking. You don't see with SMBs any kind of espionage, they're too small it's all financially based. It's usually the stuff you can buy and customise, things like Zeus and SpyEye, all those families of malware," said Ben-Itzhak.
Ben-Itzhak highlighted the use by SMBs of free cloud services, such as Gmail and Dropbox, as another new trend requiring action. "We're seeing a trend with new businesses where their people are used to having everything in the cloud, they use things like Gmail and Dropbox for running the business," he said.
"From a security standpoint when people use these I think backup is important. This is because mess-ups happen, it happened with Gmail. Gmail had an 'event' where some people's messages were deleted and couldn't be recovered. So while these tools are very good for running a business as they save a lot on operation costs and remove a lot of complexity, they're not completely free. There is risk involved running them."
The AVG's warnings follow widespread rumblings within the security community for businesses to decrease their reliance on consumer-focused services such as Dropbox. Silent Circle's Mike Janke told V3 that businesses hoping to protect their customers' privacy cannot rely on services such as Google's Gmail.
Despite the negativity, Foreman said securing small business presents a golden opportunity for expansion. "From a small business point of view there are always going to be some bad guys coming after them, but I think those that show they can deal with them, that they can protect their customers, are going to have a real competitive advantage," he said
AVG is one of many firms to warn about the increased threat facing SMBs. Sophos director of technology James Lyne told V3 SMB websites have overtaken porn and gambling sites as cyber criminals' malware distribution tools of choice.

US and UK intelligence services cracked encryption standards for spying efforts

nsa
US and British intelligence services have reportedly cracked some of the most widely used encryption methods used to secure the web, according to leaked intelligence revealed by NSA whistleblower Edward Snowden.
The information, published in The Guardian and The New York Times, alleges that protocols including HTTPS and SSL – both widely used to protect user data when making secure transactions on the web – have been compromised.
Perhaps more worryingly, the documents state that the NSA "actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" in a bid to insert vulnerabilities into commercial encryption systems to bypass encryption entirely.
However, the businesses involved were not revealed, creating a further atmosphere of distrust in an already paranoid industry.
A separate document also alleges the NSA had been introducing weaknesses into the security standards themselves, with the agency having its own modified version of a security standard approved for worldwide use in 2006 by the US National Institute of Standards and Technology.
Hotmail, Google, Yahoo and Facebook are all mentioned, with the UK's GCHQ agency tasked with accessing the encrypted traffic of these "big four" service providers.
The encryption-busting tactics used by the NSA reportedly receive in excess of $250m funding per year, with a decade-long programme of brute force supercomputer-based hacking making a major decryption breakthrough in 2010.
Another program codenamed "Operation Cheesy Name" was aimed at discovering vulnerable security certificates, which could then be exploited further.
The latest revelations will both vindicate the companies first implicated in the PRISM scandal – including Microsoft and Google – which repeatedly claimed that they had not been working with the security services to insert back-door code into their servers.
However, the news will in all likelihood raise big questions about which IT service providers and equipment manufacturers can be truly trusted with confidential data.
Vice president of the European Commission, Neelie Kroes, repeated the sentiment in July, saying previous revelations would damage parts of the US IT industry.
"If European cloud customers cannot trust the United States government, then maybe they won't trust US cloud providers either. If I were an American cloud provider, I would be quite frustrated with my government right now," she said.
The publications that broke the story also stated that they had removed some of the information about specific compromised security standards at the request of intelligence officials who were concerned that foreign targets would change their encryption methods.

Hesperbot – A New, Advanced Banking Trojan in the Wild

A new and effective banking trojan has been discovered targeting online banking users in Turkey, the Czech Republic, Portugal and the United Kingdom. It uses very credible-looking phishing-like campaigns, related to trustworthy organizations, to lure victims into running the malware.

The Story

In the middle of August we discovered a malware-spreading campaign in the Czech Republic. Our interest was first kindled by the site that the malware was hosted on – a domain that passed itself off as belonging to the Czech Postal Service – but more interesting findings followed.
Analysis of the threat revealed that we were dealing with a banking trojan, with similar functionality and identical goals to the infamous Zeus and SpyEye, but significant implementation differences indicated that this is a new malware family, not a variant of a previously known trojan.
Despite being a “new kid on the block”, it appears that Win32/Spy.Hesperbot is a very potent banking trojan which features common functionalities, such as keystroke logging, creation of screenshots and video capture, and setting up a remote proxy, but also includes some more advanced tricks, such as creating a hidden VNC server on the infected system. And of course the banking trojan feature list wouldn’t be complete without network traffic interception and HTML injection capabilities. Win32/Spy.Hesperbot does all this in quite a sophisticated manner.
When comparing the Czech sample to known malware in our collection, we discovered that we had already been detecting earlier variants generically as Win32/Agent.UXO for some time and that online banking users in the Czech Republic weren’t the only ones targeted by this malware. Banking institutions in Turkey and Portugal were also being targeted.
The aim of the attackers is to obtain login credentials giving access to the victim’s bank account and to get them to install a mobile component of the malware on their Symbian, Blackberry or Android phone. Keep reading for details on the malware spreading campaigns, their targets and for technical details on the trojan.

The Campaigns Timeline

The Czech malware-spreading campaign started on August 8, 2013. The perpetrators have registered the domain www.ceskaposta.net, which is very close to the real website of the Czech Postal Service, www.ceskaposta.cz.
1
Figure 1 – Registration date of ceskaposta.net
2
Figure 2 – Compilation timestamp of malware used in the Czech campaign
The domain was registered on August 7, 2013 and the first malware Hesperbot binaries (detected as Win32/Agent.UXO at first) distributed in the Czech Republic were compiled on the morning of August 8, 2013 and picked up by our LiveGrid® system moments later.
It’s probably not surprising that the attackers tried to lure potential victims into opening the malware by sending emails which looked as parcel tracking information from the Postal Service. Similar techniques have been used many times before (e.g. here and here). The filename used was zasilka.pdf.exe: “zasilka” means mail in Czech. The link in the email showed the legitimate www.ceskaposta.cz domain while pointing to www.ceskaposta.net, which many victims hadn’t noticed. Interestingly enough, the fake domain actually redirected to the real website when opened directly.
It should be noted that the Czech Postal Service responded very quickly by issuing a warning about the scam on their website.
3
Figure 3 – Warning about the fraudulent e-mails issued by the Czech Postal Service
While the Czech campaign was the one that caught our attention, the country most affected by this banking trojan is Turkey and Hesperbot detections in Turkey are dated even earlier than August 8.
Recent peaks in botnet activity were observed in Turkey in July 2013, but we have also found older samples that go back at least as far back as April 2013. During the analysis of the samples we found that they were sending debugging information to the C&C – an indicator that these variants were in the early stages of development. Additional research revealed that Turkey has been facing Hesperbot infections for some time now.
The campaigns used in Turkey are of a similar nature to the Czech campaign. The phish-like e-mail that was sent to potential victims purported to be an invoice (the file name is fatura in Turkish) from TTNET (the largest ISP in Turkey). A malicious file with a double extension – .PDF.EXE – was used here too. An analysis of this campaign has been published on the website of the Turkish National Information Security Program.
Only later in our research did we find that the malware operators have shifted their sights towards Portugal. Similarly to the Turkish campaign, the malicious files were disguised as an invoice from a local service provider with a very large market share, Portugal Telecom.
A variant designated to target computer users in the United Kingdom has also been found in the wild, but we cannot provide further details about its spreading campaign at the time of writing.
In the course of our research, we also stumbled upon an additional component used by Win32/Spy.Hesperbot. This malware, detected by ESET as Win32/Spy.Agent.OEC, harvests e-mail addresses from the infected system and sends them to a remote server. It is possible that these collected addresses were also targeted by the malware-spreading campaigns.

Targeted Banks and Victims

The configuration files used by the malware’s HTTP interception and injection module specify which online banking websites are to be targeted by each botnet.
Czech Republic
4
Figure 4 – Czech banks targeted by Hesperbot
Turkey
5
Figure 5 – Turkish banks targeted by Hesperbot
Portugal
6
Figure 6 – Portuguese banks targeted by Hesperbot
In the case of the Turkish and Portuguese botnets, the configuration files also included web-injects, i.e. pieces of HTML code that the trojan would insert into the banks’ web-pages when viewed on the infected PC. This was not present in the Czech configuration file that we found, so most probably only simple form-grabbing and keylogging functionality was used in that instance.
7_santandertotta_injected
Figure 7 – Malicious scripts injected into Portuguese bank website. Notice that the URL address is legitimate, including the HTTPS protocol.
According to our ESET LiveGrid® telemetry, as well as our hands-on research into the malware operation, we estimate that the number of people that may have fallen victim to the Hesperbot banking trojan is in the scale of tens in the Czech Republic and Portugal (respectively) and in the scale of several hundred in Turkey. Detection statistics per country are shown in the figure below. It has also come to our attention that victims in the Czech Republic have lost significant amounts of money as a result of infection by this malware. It’s quite possible that there are similarly unfortunate victims in Turkey and Portugal as well.
8
Figure 8 – Detection statistics of Win32/Spy.Hesperbot according to ESET LiveGrid

Security Cam Makers Sued When Video Feeds Go Public; Maybe You Shouldn't Use Networked Cameras

Image via Flickr user James UK
When you buy a shiny new network security camera, you expect that you're the only person who will see the feed. But as SecurityWatch readers know, that's not always the case. Now the Federal Trade Commission has announced a settlement with camera maker TRENDnet after consumers' video feeds wound up up online. The feds are calling it the first suit regarding the Internet of Things but maybe we should just stop buying these cameras.
The Charges
In a press release, the FTC enumerated TRENDnet's security shortcomigs that led to over 700 private video feeds being publicly accessible. According to the FTC, TRENDnet cameras did not establish any password requirements for their devices and transmitted user login information in plain text over the Internet. The company also stored login credentials in plain text on Android devices.
From reading the FTC statement, it's clear that the charges were hung on the fact that TRENDnet claimed that their products were secure. But it's clear that was far from the case, even after TRENDnet pushed out a software patch.
The statement crows that this was the first suit brought against a company marketing a product for the so-called Internet of Things, where even mundane devices are connected to the Internet. "The Internet of Things holds great promise for innovative consumer products and services," said FTC Chairwoman Edith Ramirez in the press release. "But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet."
Just how bad was the security situation? The statement describes what was available online for anyone to see. "The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives." Spooky.
We've Seen This Before
The issues with TRENDnet were first disclosed in 2010, said the FTC. But in the three years since the initial disclosure, other companies haven't managed to lock down their network security products either.
In mid-August, we brought you the story of one couple who had installed video baby monitors only to find that a hacker was using them to shout obscenities at their young daughter. The cameras in question had a security patch pushed out after launch that the victims didn't know about, probably similar to what happened with TRENDnet.
Before that, a presentation at Black Hat demonstrated how just about any camera could be taken over with minimum effort. During the demo, Craig Heffner placed a bottle of beer in front of a camera, fed the camera a static image of the scene, and then plucked the beer without being caught on video. It was a regular heist-movie maneuver.
Even more troubling was the fact that once in control of the camera, Heffner pointed out that he now had a foothold on his target's network and could do just about whatever he pleased. When asked how widespread the issue was, Heffner said that he had yet to find a camera that he couldn't hijack.
Enough Already
There's a lot to be gained by connecting more and more devices to the Internet, but it does open up new avenues of attack that can strike closer to home than ever before. DSLR cameras, networked office phones, even the camera on your laptop can be used by the determined attacker to reach out and touch your home.
Taking precautions is a good start: update your software frequently, and actually go out and check if there are updates for the devices you purchase. Create a password even when it's optional, and use a password manager like LastPass 2.0 or Dashlane 2.0 to create unique, complex passwords.
But for attacks like these, where the intimate interiors of our lives could be laid bare, I propose that we go a step further and make critical decisions about the products we purchase. If you're going to buy a computer with a built-in webcam, keep it covered when it's not in use. If you really need a security camera system, choose an old-school model that doesn't connect to the Internet.
With any luck, the FTC case will force vendors to be a little more careful before they roll out products. Or maybe they'll just slap a big ol' asterisk after the word "secure" on their packaging

Leaked GTA V Torrents Loaded With Sneaky, Costly Malware

Grand Theft Auto V
The fifth installment of the legendary (and controversial) sandbox shooters Grand Theft Auto is due out later this month, but some players are hoping to get in on the game early by downloading "leaked" copies of the game. Those who partook of the illicit downloads might end up paying a lot more than the price of the game, however.
What's The Scam
According to Bitdefender, what downloaders are actually getting is a nasty malware scam. During installation, you're asked to fill out a survey in order to receive a confirmation code. To finish the survey, you're prompted to send an SMS message to a shortcode.
The ears of careful readers familiar with our Android malware coverage should prick up, because that's a common scam among bad guys targeting the Android platform. Shortcodes, like the numbers used by the Red Cross to raise money, tell your mobile carrier to add a certain amount to your wireless bill. Bad guys use the same technology for evil by writing apps that secretly send SMS shortcodes that transfer money to them (or affiliates). Sometimes, Android malware creators will just create an official looking app and prompt users to send the codes themselves.
The GTA V malware shows that what is a good idea on Android can work just as well on a PC. According to Bitdefender, the GTA V malware is particularly insidious since it sets up recurring charges of "€1 per day until the service is stopped." The ammount charged is probably intentionally small, in the hopes that it will go unnoticed for weeks or months.
As nasty as they are, malicious shortcodes are tricky since they're localized by region. A shortcode from a Russian Android malware operation probably won't work on a US phone. That's not the case with this scam, says Bitdefender.
"The survey opens in a web browser and, therefore, is able to perform a geographic redirect to the webpage that corresponds to the area you are located in," said, Bitdefender Senior E-Threat Analyst Bogdan Botezatu. "This way, the scam is localized to the numbers that are available in the users' area."
Looking Legit
The criminals behind the malware have also gone to great lengths to make the installer and even the torrents look legit. "Crooks have integrated official wallpapers and artwork into the installation process," says Bitdefender. "These downloads are promoted by cyber-criminals by adding likes and positive comments from fake, duplicate accounts in order to make the download more credible."
Interestingly, the ISO file inside the torrent contains an actual game: The Cave, from DoubleFine productions. No word on whether or not it actually works, however.
Appearing legitimate is nothing new for malicious PC software—in fact, Trojanized PC applications are fairly common. Dressing up malware as something illegal, or disreputable, is also fairly common as victims are less likely to complain.
Staying Safe
The easiest way to avoid this malicious software is to not illegally download copies of GTA V. Especially when the game isn't launching until the middle of September, and no PC version has been announced. Come on, guys.
It's also a good idea to have some kind of anti-malware software on your computer. Bitdefender notes that the malicious installer shows up as "Trojan.GenericKDV.1134859" in their Editors' Choice award winning software Bitdefender Antivirus Plus (2014). Editors' Choice winners Norton AntiVirus (2013) or Webroot SecureAnywhere Antivirus 2013 would also do nicely.
Even if you haven't downloaded a GTA V installer, it's important to understand how this scam works so you can avoid similar ones in the future. For instance, it's highly unlikely that any legitimate company will ask you to text a shortcode in order to activate a product.
For those of you who have already fallen to this scam: your best bet is to contact your mobile provider and try to get the charges reversed or at the very least halted. Remember: every day you wait is $1.32 USD wasted.

Facebook spam “earning criminals $200m a year”, researchers claim

Two independent Italian security researchers have investigated the business behind Facebook spam – and estimate that the trade is worth around $200m a year.
The researchers – who previously investigated the “black market” in fake Twitter followers – looked at black-market websites which “sold” access to Facebook users. The scams work by encouraging Facebook users to join fake fan pages, then bombarding the victims with unwanted links.  The sites begin life as “real” fan sites, then spammers begin sending links promising offers such as “Free iPhones”, the researchers said. By tracking their use of URL shortening services such as Bit.ly, the researchers were able to track the number of clickthroughs to third-party sites.
“The spam posters get paid an average of $13 per post, for pages that have around 30,000 fans, up to an average of $58 to post on pages with more than 100,000 fans,” De Micheli said in an interview with The Guardian. “If we consider these two as extremes, the pages we analyzed generate a revenue of 18,000 posts per day, times the revenue per post – ranging from $13 to $58 – 365 days a year.”
The researchers spoke to scammers as part of their research – and some claimed that Facebook shied away from banning fan pages because of the amount of content they generated and shared.
“Facebook doesn’t ban us, simply because we generate the content on Facebook itself. Everyday I materialize funny, and interesting content full of phrases and so forth that is shared and liked by thousands of users,” said one in a Skype conversation, according to the Guardian’s report. “Without the fan pages Facebook would be an empty place. Tell me how many links do you see shared by your friends on your timeline everyday? You see – the answer is simple.”
Last week, Mr De Micheli unearthed malware which was spreading on Facebook in the guise of a browser plug-in, claiming that 800,000 had fallen victim.
“A few years ago, you’d tell your friends, don’t click on attachments,” Mr. De Micheli said. “Now, the same advice applies to browser add-ons.” Andrea Stroppa and Carlo De Michel previously spent months investigating the ‘grey market’ where Twitter followers are sold – and found dozens of firms selling followers, and even selling ‘retweets’ to make people appear interesting.

Windows 8 picture passwords “can be cracked”, researchers warn

The “picture passwords” used in Windows 8 machines are more vulnerable than Microsoft hoped, a research team claims. An analysis of more than 10,000 picture passwords found that a significant percentage could be cracked – due to the predictable “points of interest” that users chose.
The “gesture” passwords allow users to pick points in an image, instead of using a text-based password.
People tend to choose faces, colourful points and eyeglasses, so it’s often possible to “guess” such passwords, the team from Arizona State University and Delaware State University say, as reported by Information Week.  The team developed algorithms which could crack picture passwords with a high success rate.
In a paper presented at the Usenix Conference this month, “On the Security of Picture Gesture Authentication,” the reseearchers, computer science doctoral student Ziming Zhao and computer science master’s degree student Jeong-Jin Seo, along with Hongxin Hu, now an assistant professor of at Delaware State University, found that people’s choice of “gesture” password tended to follow patterns.
“By analying the collected passwords, we notice that subjects frequently chose standout regions (points of interest, PoIs) on which to draw,” the researchers say. “Only 9.8% subjects claimed to choose locations randomly without caring about the background picture. 60.3% of subjects prefer to find locations where special objects catch their eyes while 22.1% of subjects would rather draw on special shapes.”
“Our approach cracked 48.8% passwords for previously unseen pictures in one of our datasets,” the researchers say. Ahn’s team developed algorithms that could identify the points of interest which users were likely to choose for password patterns.
“Based on the user habits and patterns we created a ranked pattern dictionary,” he explains. Ahn created “password strength meters” – similar to those used on websites to rank typed passwords – to categorize picture passwords.
Ahn suggests, according to Information Week, that Microsoft could adopt such an approach – pointing out that even in Windows 8 adverts, users are selecting obvious, and easily guessable, “points of interest”.
“Our approach was able to crack a considerable portion of picture passwords in various situations,” the researchers write. “We believe the findings and attack results  could advance the understanding of background draw-a-secret and its potential attacks.”

Mobile banking apps pose “serious” safety risks, financial watchdog warns

Mobile banking apps pose an “important risk” to consumers as banks increasingly offer access to banking services via smartphones.
The Financial Conduct Authority, a British watchdog, is to investigate the risks posed by banking apps, according to a report by This is Money - particularly the threat of malicious apps that pose as genuine banking apps.
“One of the most popular ways for consumers to access mobile banking is by downloading a mobile banking application, or app, for their smartphone,” the FCA said in a statement. “While this provides some consumers with a convenient way of managing their money, it can also lead to the risk of malware.”
“This can occur if a consumer downloads an application that appears to be from a genuine payment provider but is actually malware designed to capture sensitive financial information. Malware is an important risk for firms to consider, as it can result in financial loss and undermine consumer confidence in mobile banking.”
The FCA said that many banks are already aware of the risks involved in allowing consumers to access sensitive information via apps.
“Many of the firms we have spoken to are aware of these potential issues and we have seen firms take steps to manage them. Examples include firms providing clear security information to consumers, issuing warnings to only download applications from official stores and providing antvirus software.”
The FCA also warned that the use of third-party providers for IT solutions could spell risks.
“For firms to successfully provide mobile banking services to their customers, they will be dependent on IT systems, technical expertise and detailed knowledge of the payments system. Many of the firms entering this market are using the specialised services of outsourcing partners,” the FCA said. “This leads to the risk that there may be a chain of companies involved in a customer’s transaction,resulting in a greater likelihood of a problem occurring.”

“Rogue cellular devices” could allow attackers to block texts, intercept calls – and “black out” areas

Attacks which “hijack” calls and block phone services for individual phone users or even whole city areas are possible, using a “rogue device” to attack cellular networks, according to Berlin researchers.
The attacks target the older GSM network – used by AT&T and T-Mobile in the U.S. – and would allow attackers to block texts, redirect calls – and even block off mobile phone service in whole urban areas, according to Nico Golde, Kevin Redon and Jean-Pierre Seifert of Technische Universitat Berlin.
The attacks only require cellphones with modified software – programmed to react slightly faster than consumer devices to the requests which cellphone towers send out, thus blocking calls and messages from their intended recipients, according to ComputerWorld.
“We show the feasibility and the implementation of cellphone firmware which is capable to steal a short message over-the-air and to perform denial of service attacks against mobile terminated services in GSM networks,” the researchers say, in a paper presented at the recent Usenix conference, entitled Let Me Answer That For You.
“We eventually assess the boundary conditions for a large-scale paging response attack in order to cause denial of service conditions within a large geographical area of a major city.”
The researchers tested their attacks using modified Motorola devices against GSM networks in Berlin.
The researchers admit that “the limitations of currently available hardware and software” make it difficult to test the attack against more modern 4G networks such as LTE and UMTS, but claim that the “root causes” of the vulnerabilities are also present in those networks.
“Mobile telecommunication has become an important part of our daily lives,” the researchers write. “Yet, industry standards such as GSM often exclude scenarios with active attackers. Devices participating in communication are seen as trusted and non-malicious. By implementing our own baseband firmware based on OsmocomBB, we violate this trust and are able to evaluate the impact of a rogue device with regard to the usage of broadcast information.
“Attacks against mobile terminated services are a minority,” the researchers write. “The he undisturbed operation of telecommunication networks is traditionally based ontrust. The inherent trust that each subscriber and participant in communication plays by the rules. Nonetheless, due to several available and modifiable software andhardware projects for telecommunication, this trust relationship has to be considered broken.”

BlackBerry signs up to FIDO anti-password alliance to seek new ways to keep data safe

BlackBerry has signed up to FIDO (Fast IDentity Online) Alliance – a group which is seeking to establish new methods to identify people quickly and safely, rather than relying on passwords for mobile security.
FIDO is supported by internet giants such as Google and PayPal and is investigating alternative authentication technologies such as NFC chips, biometrics and one-time passwords, with a view to creating a standards-based system for passwordless authentication.
BlackBerry’s statement mentions services such as BBM and Protect, but is not specific about technologies or systems it might develop alongside FIDO.
Fan site CrackBerry said, “It’s easy to imagine this technology enabling BlackBerry devices to become security tokens in their own right for two-factor authentication. For example, you could set your PayPal account so that it could only authenticate transfers made from your BlackBerry since it has a unique and certified identity. Alternatively, you could set it so that with an additional PIN number punched in on the device, you could open doors with electronic locks, or start your car.”
“BlackBerry is deeply committed to remaining the Gold Standard in mobile security while providing a model for others to adopt and follow,” said Brian McBride, Technical Director for Identity at BlackBerry. “Offering safe, reliable access for our customers across the globe is inherent to everything BlackBerry does as an organization.”
FIDO aims to replace passwords with a secure, industry-supported protocol which is also easy to use. FIDO is investigating technologies such as  fingerprint scanners, voice and facial recognition, and existing solutions such as Near Field Communication (NFC) and One Time Passwords (OTP), with a view to creating an integrated solution.
“BlackBerry is among the first mobile platform and mobile device suppliers to engage with the FIDO Alliance to equip customers with easy-to-use strong authentication, allowing them to easily move from site to site securely without having to enter identifying information multiple times,” FIDO said in a statement.
PayPal have been vocal this year in their support of the group’s aims.
“Passwords are running out of steam as an authentication solution. They’re starting to impede the development of the internet itself,” PayPal’s Chief Information Security Officer Michael Barrett said at the Interop Las Vegas IT expo earlier this year.
“It’s pretty clear that we can’t fix it with a proprietary approach.”
Mr Barrett pointed out the results of passwords being published online after data breaches in recent years – showing that insecure passwords such as “12345” and “password” remain among the most commonly used
“Users will pick poor passwords – and then they’ll reuse them everywhere,” says Barrett. “That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet.”
No password can keep you entirely safe – a data breach may occur at the company or institution you are dealing with, and cybercriminals have all the time in the world to crack lists of encrypted passwords. Choosing a good one, though, will give you time to change yours once the news breaks

One in five internet users have had emails or social networks hijacked, Pew study finds

Internet users are becoming more savvy about keeping their private data safe – but many have already fallen victim to crime and scams, including having their emails or social networks hijacked, a study by the Pew Research Institute’s Internet Project has found.
One in five (21%) of internet users have had an email or social networking account compromised or taken over without their permission – and users also admitted to having lost private data or money, and even facing physical danger as a result of events online.
But awareness of risks appears to be rising, according to Pew, although the research institute says, “Most internet users would like to be anonymous online, but many think it is not possible to be completely anonymous.”
Pew said that the responses showed that ordinary internet users seemed to be more concerned with hackers, family members and companies misusing their data, than with government surveillance.
“Most internet users know that key pieces of personal information about them are available online – such as photos and videos of them, their email addresses, birth dates, phone numbers, home addresses, and the groups to which they belong,” Pew’s report states. “Growing numbers of internet users (50%) say they are worried about the amount of personal information about them that is online—a figure that has jumped from 33% who expressed such worry in 2009.”
Pew’s survey, of 792 internet users, was conducted with Carnegie Mellon University, and  found that a large majority (86%) of internet users are taking steps to remove or mask their “digital footprints”, with methods including clearing cookies and encrypting emails. More than half of internet users have taken such steps to avoid observations by specific individuals, organizations, or by the government.
Whether this caution is due to recent headlines about government use of internet data is still unclear. Pew’s study also found that a large percentage of internet users had already fallen victim to crimes or scams that “took advantage of their visibility online,” Pew said.
As well as the 21% who had had emails or social networks compromized, 12% reported being stalked or harrassed online, 11% had had important private information such as Social Security Numbers and banking information stolen.
More worryingly, 6% said they had lost money in online scams – while 6% said they had had their reputation damaged online, and another 4% said they had faced physical danger after an online event.
“Users clearly want the option of being anonymous online and increasingly worry that this is not possible,” said Lee Rainie, Director of the Pew Research Center’s Internet Project and an author of a report on the survey findings. “Their concerns apply to an entire ecosystem of surveillance. In fact, they are more intent on trying to mask their personal information from hackers, advertisers, friends and family members than they are trying to avoid observation by the government.”